One-shot setup
The fastest way to get protected:
If you have multiple agents installed, rampart quickstart will set up all detected agents.
Manual setup
If you prefer to set up step-by-step, or need to set up a specific agent:
Install the background service
This installs rampart serve as a boot service (systemd on Linux, launchd on macOS) and saves a bearer token to ~/.rampart/token:
The service runs on localhost:9090 by default.
Wire up your agent
Choose your agent:
For agents without native hook support, rampart wrap sets $SHELL to a policy-checking shim. Works with Aider, OpenCode, Continue, and any agent that reads the $SHELL environment variable.
Test your first policy
Try running a dangerous command through the policy engine:
rampart test evaluates commands against your policies without actually executing them. Perfect for testing policy changes.
Use your agent normally
Once Rampart is set up, just use your agent as usual. Every command goes through the policy engine first. For Claude Code:
Watch what's happening
See real-time policy decisions:
- ✅ Allowed commands
- 🔴 Blocked commands
- 🟡 Watched commands (logged for review)
- 👤 Commands waiting for approval
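With the setup steps above done, the two defaults from the "Install the background service" step can be verified: the bearer token at ~/.rampart/token and the listener on localhost:9090. This is an added example, not part of Rampart or its documentation; the function names are hypothetical, the owner-only permission expectation is this example's assumption, and the listener check parses Linux `ss -Hltn` output.

```shell
#!/bin/sh
# Added example, not part of Rampart. The token path and port are the
# defaults named on this page; "owner-only" is this example's assumption.

# 0 = only the owner has access, 1 = group/other have access, 2 = missing.
token_mode_ok() {
    [ -f "$1" ] || return 2
    # GNU stat first, BSD/macOS stat as the fallback.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Reads `ss -Hltn` output on stdin.
# 0 = every listener on the port is loopback, 1 = one is not, 2 = none found.
listener_loopback_only() {
    awk -v port="$1" '
        { n = split($4, p, ":"); if (p[n] != port) next
          host = substr($4, 1, length($4) - length(p[n]) - 1)
          found = 1
          if (host != "127.0.0.1" && host != "[::1]") exposed = 1 }
        END { if (!found) exit 2; exit (exposed ? 1 : 0) }'
}

# Run both checks against the live system (Linux, needs ss from iproute2).
check_install() {
    rc=0
    token_mode_ok "$HOME/.rampart/token" \
        || { echo "token: missing or readable beyond owner"; rc=1; }
    ss -Hltn | listener_loopback_only 9090 \
        || { echo "port 9090: not listening, or bound beyond loopback"; rc=1; }
    return $rc
}

# Constructed sample: one loopback listener, one wildcard listener.
sample='LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9091 0.0.0.0:*'
printf '%s\n' "$sample" | listener_loopback_only 9090 && echo "9090 loopback-only"
printf '%s\n' "$sample" | listener_loopback_only 9091 || echo "9091 exposed"
```

Call check_install on the machine where rampart serve is running; it returns non-zero if either check fails.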
Built-in policy profiles
Rampart ships with four policy profiles:

| Profile | Default action | Use case |
|---|---|---|
| standard | allow | Block dangerous, watch suspicious, allow the rest |
| ci | allow | Strict mode for headless/CI: all approvals become denies |
| paranoid | deny | Explicit allowlist for everything |
| yolo | allow | Log-only, no blocking |
Customize your policy
When a command is blocked, Rampart tells you how to allow it:
Custom rules are stored in ~/.rampart/policies/custom.yaml and won't be overwritten by rampart upgrade.
Next steps
Writing policies
Learn YAML policy syntax, glob patterns, and approval flows
Audit trail
Explore hash-chained audit logs and SIEM integration
Project policies
Commit project-specific rules to your repo for team-shared security
Dashboard
Use the web dashboard to approve commands and test policies